Mounting Labeled ZFS Datasets

You can either apply a label to a ZFS dataset explicitly or mount an
unlabeled ZFS dataset in a zone. An initially unlabeled ZFS dataset
acquires the label of the zone that mounts it.

ZFS provides a security label attribute, mlslabel, that contains the label of the
data in the dataset. The mlslabel property is inheritable. If the property is
undefined, it defaults to the string none, which indicates no label.

When you mount a ZFS dataset in a labeled zone, the following
occurs:

If the dataset is not labeled, the value of the mlslabel property is changed to the label of the mounting zone.

For the global zone, the mlslabel property is not set automatically. If you explicitly label the dataset admin_low, the dataset must be mounted read-only.

If the dataset is labeled, the kernel verifies that the dataset label matches the label of the mounting zone. If the labels do not match, the mount fails.

If read-down mounts are allowed in the zone, a lower-level dataset mounts read-only.
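The mount rules above, encoded as a dry-run check that reports what should happen before a dataset is mounted in a zone. This is an added example, not Oracle's code or a Trusted Extensions utility; the label ordering, the zone names and the scenario inputs are constructed assumptions (real labels form a lattice defined by label_encodings, so the simple ranking here stands in for label dominance).

```shell
#!/bin/sh
# Constructed, simplified label ordering (lowest to highest). Real Trusted
# Extensions labels form a lattice defined by label_encodings, not a list.
LABEL_ORDER="admin_low public internal confidential admin_high"
# label_rank LABEL: print the label's position in LABEL_ORDER; fail if unknown.
label_rank() {
    n=0
    for l in $LABEL_ORDER; do
        n=$((n + 1))
        if [ "$l" = "$1" ]; then echo "$n"; return 0; fi
    done
    return 1
}

# check_mount MLSLABEL ZONE ZONE_LABEL READDOWN
#   MLSLABEL   current mlslabel of the dataset ("none" if unlabeled)
#   ZONE       "global" or the name of a labeled zone
#   ZONE_LABEL the zone's label (admin_low for the global zone)
#   READDOWN   yes|no, whether read-down mounts are allowed in the zone
# Prints the outcome the rules above prescribe:
#   relabel:<label>  unlabeled dataset acquires the mounting zone's label
#   mount:rw         dataset label matches the zone label
#   mount:ro         lower-level dataset, mounted read-only
#   fail             label mismatch, mount refused
check_mount() {
    ds=$1 zone=$2 zl=$3 rd=$4
    if [ "$zone" = "global" ]; then
        # the global zone never sets mlslabel automatically ...
        [ "$ds" = "none" ] && { echo "mount:rw"; return 0; }
        # ... and an explicit admin_low label forces a read-only mount
        [ "$ds" = "admin_low" ] && { echo "mount:ro"; return 0; }
    fi
    [ "$ds" = "none" ] && { echo "relabel:$zl"; return 0; }
    [ "$ds" = "$zl" ] && { echo "mount:rw"; return 0; }
    dr=$(label_rank "$ds") && zr=$(label_rank "$zl") && [ "$rd" = "yes" ] &&
        [ "$dr" -lt "$zr" ] && { echo "mount:ro"; return 0; }
    echo "fail"
}

# Constructed scenarios, one per line: mlslabel zone zone_label readdown
while read -r ds zone zl rd; do
    printf '%-9s in %-6s (%-12s readdown=%s) -> %s\n' \
        "$ds" "$zone" "$zl" "$rd" "$(check_mount "$ds" "$zone" "$zl" "$rd")"
done <<'EOF'
none zone1 public no
public zone1 public no
public zone2 confidential yes
public zone2 confidential no
admin_low global admin_low no
EOF
```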

To set the mlslabel property from the command line, type something similar to
the following:

# zfs set mlslabel=public export/publicinfo

The file_upgrade_sl privilege is required to set an initial label or to change
a non-default label to a higher-level label. The file_downgrade_sl privilege is required to
remove a label, that is, to set the label to none. This privilege is
also required to change a non-default label to a lower-level label. When a
ZFS dataset has an explicit label, the dataset cannot be mounted on
an Oracle Solaris system that is not configured with Trusted Extensions.